External risk intelligence

Attacker bypasses security checks on your public services

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-33807

A flaw in @fastify/express can let attackers bypass security checks like logins on your public-facing web services, giving them unauthorized access.

4Halo Surface Signal

Fastify\/express

before 4.0.5

External exposure likelihood

Halo Surface Signal score for CVE-2026-33807

The vulnerability affects a middleware library for the Fastify web framework. Because this framework is primarily used to build public-facing web applications and APIs, the vulnerable attack surface is typically exposed to the internet in common deployments.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in @fastify/express could allow bypassing security controls like authentication and rate limiting. It occurs when child plugins are registered with a prefix that matches a middleware path, causing that path to be incorrectly doubled. This means that critical security measures might not be applied to certain routes, potentially exposing them.

Unauthorized access to routes.
Security protections like authentication fail.
Affects web applications and APIs.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability to bypass all security controls like authentication and authorization for specific routes. This is possible if a web application uses an affected version of `@fastify/express` and has child plugins registered with prefixes that match middleware paths. By exploiting the doubled path handling, an attacker can access protected functionality without proper credentials.

Unauthenticated network access needed.
Targets Express middleware security.
No special request crafting required.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows for a complete bypass of security controls like authentication and authorization without special configuration. The direct impact on protected routes makes it an attractive target for attackers seeking unauthorized access to applications built with this library. However, its specific use within the Fastify ecosystem might limit the immediate scope compared to more general vulnerabilities.

Public exploit code is not yet observed.
No KEV listing indicates less immediate targeting.
The vulnerability is recent, suggesting ongoing assessment.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize upgrading @fastify/express to version 4.0.5 or later to address a critical middleware bypass vulnerability. This issue allows unauthenticated access to routes within child plugin scopes by manipulating path handling. Teams should immediately identify all instances of this library and apply the fix to prevent unauthorized access and potential data breaches.

Upgrade @fastify/express to 4.0.5.
Monitor traffic for bypassed controls.
Inventory affected services and plugins.

Frequently asked questions

What is @fastify/express and what is it used for?

@fastify/express is a component used with the Fastify web framework. It allows developers to integrate middleware, which are functions that can process requests before they reach the main application logic. This is commonly used for tasks like authentication, logging, and data validation in web applications and APIs.

What kind of weakness does CVE-2026-33807 represent?

CVE-2026-33807 is a path handling vulnerability, categorized as CWE-436. This means that the software incorrectly handles file or resource paths, leading to unintended consequences. In this case, it causes middleware security checks to be bypassed.

How can an attacker trigger this vulnerability?

This vulnerability is triggered when a child plugin within the @fastify/express system is registered with a prefix that matches an existing middleware path. This specific configuration causes the path to be incorrectly doubled, preventing the middleware from being applied to requests for routes within that child plugin's scope. No special request crafting is needed.

Who should be concerned about CVE-2026-33807?

Organizations using @fastify/express versions prior to 4.0.5 in their Fastify applications should be concerned. Since Fastify is often used for internet-facing web applications and APIs, this vulnerability is classified as external and has a 'Likely' exposure score, suggesting a significant portion of deployments may be accessible to attackers.

What is the first step to address this threat?

The immediate first step is to upgrade the @fastify/express library to version 4.0.5 or a later version. This upgrade addresses the underlying path handling issue that leads to the bypass of security controls. After upgrading, it's advisable to monitor application traffic for any unexpected or unauthorized access.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.